Attacks and Vulnerabilities
Control device security
Critical infrastructure
ICS Security Framework
Identity and Access Management (IAM)
Industrial Cyber Attacks
Industrial IoT
IT/OT Collaboration
Malware, Phishing & Ransomware
News
OT Network security
Secure Remote Access
System Design & Architecture
Technology & Solutions
Threat Landscape
Utilities: Energy & Power, Water, Waste
Vulnerabilities

US Congressional Subcommittee holds hearing on cybersecurity risks to water and wastewater systems

February 06, 2024
US Congressional Subcommittee holds hearing on cybersecurity risks to water and wastewater systems

The U.S. Congressional Subcommittee on Cybersecurity and Infrastructure Protection is conducting a hearing on Tuesday to address the concerns surrounding water and wastewater systems in the country. The focus of the discussion will be on the potential disruptions to operations and safety risks posed by these threats. Additionally, the hearing aims to explore the necessary measures required to enhance the security of operational technology (OT) in the water sector.

The witnesses to Tuesday’s hearing include Robert M. Lee, CEO and co-founder at Dragos; Charles Clancy, senior vice president and general manager at MITRE Labs and chief technology officer at MITRE; Kevin Morley, manager for federal relations at the American Water Works Association (AWWA); and Marty Edwards, deputy chief technology officer for Operational Technology and Internet of Things at Tenable

In his written testimony, Lee outlines that both government and industry have invested significantly in the cybersecurity of our nation’s critical infrastructure. “However, a vast majority of the focus has been on securing information technology (IT) networks. Less emphasis was traditionally placed on cybersecurity for operational technology (OT) and industrial control systems (ICS). These systems are the specialized computers and networks that interact with the physical world, including assets like a control system that opens a circuit breaker on an electric substation or operates pumps at a water facility.” 

He added that most executives and policy leaders are shocked to find that upwards of 95 percent of cybersecurity budgets go to the enterprise IT portions of the business and not the OT networks that can impact safety, and the environment, and generate revenue for the organization. OT systems are a critical part of critical infrastructure.

Lee focuses on three key points that are relevant to the Subcommittee and this hearing’s focus. The first point is that there are fundamental differences between the OT and IT that underpin the nation’s critical infrastructure. “IT is focused on how you enable and manage the business while OT is focused on why you are a business. The different missions, or purposes, of IT and OT systems dictate what is required of them and how organizations manage risk to them. The risks and threats to those systems, how the threats operate, the consequence of attacks, as well as the controls used to manage that risk, are also different across OT and IT environments,” he added. 

The second point that Lee highlighted was that the cyber threat landscape for OT and industrial control systems (ICS), including those used in facilities in the water and wastewater sector, has shifted irreversibly in recent years.

“The same digitalization, connectivity, and uniformity in OT that is enhancing efficiency and reliability for infrastructure owners and operators is also adding risk,” according to Lee. “This digital transformation of our industrial industries is necessary but without investing in cybersecurity in advance of that transformation the consequences will be dire. To minimize that risk and defend water systems and other infrastructure against those adversaries, the community must invest in and prioritize the cybersecurity of OT and ICS networks with a focus on implementing security controls that have demonstrated success against the methods used by those threat groups.” 

The third point Lee made was that the public and private sectors must continue to work together to make sure infrastructure owners and operators, including small and under-resourced organizations, have the information, tools, and resources they need to protect their systems. 

“Both government and industry have unique capabilities and insights that provide real value to operators of infrastructure, including water and wastewater systems. We need to remove barriers that those operators face in accessing information, tools, and equipment they need to defend their systems,” he identified. “We must also not forget that the issues are primarily an economics and awareness issue at our numerous municipally owned water utilities across this country. No amount of free vendor tools or taxpayer-funded cybersecurity services will alleviate this issue without addressing the core economic challenge.”

Lee also underscored that using weak or default credentials, which are often publicly available in the vendor’s documentation, for OT devices increases the threat of exposure. Several recent examples demonstrate adversaries exploiting ICS/OT exposed systems.

In November, CyberAv3ngers, a self-styled hacktivist collective, executed an exploitation campaign targeting Unitronics programmable logic controllers (PLCs) across multiple sectors, including the water and wastewater sector. The campaign employed unsophisticated methods such as secure shell (SSH) brute-forcing and exploiting default configurations.

This was followed by government agencies from the U.S. and Israel releasing a December joint Cybersecurity Advisory linking the activity to Iranian National Revolutionary Guard (IRGC) activities targeting an Israeli company. The campaign’s impact was notable, causing operational disruptions such as the shutdown of a water scheme in North Mayo, Ireland, and affecting wastewater treatment facilities in the U.S.

Lee also mentioned that adversaries are also targeting remote service technologies and solutions, as well as communications protocols. In 2023, Dragos observed an uptick in the water and wastewater sector in adversary actions using these types of connectivity.

While largely opportunistic, ransomware operators are increasingly attacking industrial organizations in several sectors, including water and wastewater, Lee observed. “Ransomware has primarily threatened organizations’ IT systems, without proper network hygiene, the connectivity between the IT and ICS/OT environments often provides a pathway for adversaries to attack ICS/OT systems directly.” 

He added that double extortion tactics used by ransomware operators add to the threat for water and wastewater organizations because releasing sensitive ICS/OT data and diagrams could provide other capable adversaries with valuable information they can use in campaigns with ICS/OT disruptive or destructive objectives.

In his conclusion, Lee said that to help secure OT in the water sector, “we must first understand the fundamental differences between the operational technology and information technology. The risks and threats to those systems, as well as the controls used to manage that risk, are also different across OT and IT environments. The cyber threat landscape for the OT environment has also shifted irreversibly. The same digitalization, connectivity, and uniformity in OT that is enhancing efficiency and reliability for infrastructure owners and operators is also adding risk.” 

He added that to adequately defend water systems and other infrastructure against threats and adversaries, the community must invest in and prioritize the cybersecurity of OT and ICS networks using security controls that have demonstrated success against actual threats. 

Finally, Lee added that the public and private sectors must work together using unique capabilities and expertise to ensure that water and wastewater organizations have the tools and resources they need to protect their systems. “But all of this is predicated on addressing the economics and awareness of issues that exist at our local municipalities and town water systems.”

Last week, the U.S. House Energy and Commerce Environment, Manufacturing, and Critical Materials Subcommittee conducted a hearing on safeguarding the nation’s drinking water infrastructure from cyberattacks. The latest hearing comes as a follow-up to last year’s May hearing held by the Subcommittee on Oversight and Investigations, at which the U.S. Environmental Protection Agency (EPA) testified.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation